aws-lambda@0.1.2

Vulnerabilities

1 via 1 paths

Dependencies

18

Source

npm

high severity

Command Injection

  • Vulnerable module: aws-lambda
  • Introduced through: aws-lambda@0.1.2

Detailed paths

  • Introduced through: aws-lambda@0.1.2
    Remediation: Upgrade to aws-lambda@1.0.5.

Overview

aws-lambda is a command line tool to deploy code to AWS Lambda.

Affected versions of this package are vulnerable to Command Injection. The value of config.FunctionName is concatenated into the zipCmd string that is passed to exec in lib/main.js (line 78) without any sanitization or escaping. Because exec hands that string to a shell, anyone who controls the deployment config can place shell metacharacters in FunctionName to terminate the intended zip command and run arbitrary commands with the privileges of the user performing the deploy.

PoC by JHU System Security Lab

// aws-lambda-config.lambda (attacker-controlled deployment config)
// The "&" characters end the zip command early and run `touch Song` in the working directory.
{"FunctionName": "& touch Song &", "PATH": "./"}

// deploy.js: deploying with the config above executes the injected command
var root = require("aws-lambda");
root.deploy("aws-lambda-config");

Remediation

Upgrade aws-lambda to version 1.0.5 or higher.

References